Phish & Chips: Serving Up Tycoon 2FA’s Secrets

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

Recently, the eSentire Threat Response Unit (TRU) has observed a significant increase in Tycoon 2FA Phishing-as-a-Service (PhaaS) cases compared to other phishing kits like Sneaky 2FA or Mamba2FA, accounting for 40% of user-account compromise cases in 2025 so far.

In mid-March 2025, eSentire SOC identified a connection to an Adversary-in-The-Middle (AiTM) phishing site hosting Tycoon 2FA. Tycoon 2FA is a sophisticated phishing-as-a-service (PhaaS) platform that emerged in August 2023, designed to bypass multi-factor authentication (MFA) and steal session cookies from Microsoft 365 and Gmail accounts, as mentioned in Sekoia’s blog.

It uses advanced evasion techniques and is continuously updated, making it a significant threat to users and organizations. In recent campaigns, we have observed a shift away from using Cloudflare Turnstile captchas to the implementation of a custom algorithm to generate captchas.

This blog provides a technical analysis of a recent Tycoon 2FA phishing campaign, breaking down each stage of the attack chain. We examine the initial phishing email, the sophisticated evasion techniques employed, including custom CAPTCHA implementation, anti-debugging mechanisms, and traffic filtering methods.

The analysis also covers the credential harvesting process, focusing on how the phishing kit handles user authentication, encrypts communications, and exfiltrates stolen credentials. Lastly, we also provide indicators of compromise and tactical recommendations to help cybersecurity leaders proactively prevent their organizations from being impacted by similar cyber threats.

Initial Access

Initial access began when the victim received three emails with an attachment named “Accountsreceivable_Payment ReceiptCQDM[.]html”. Upon opening the attachment, the victim was redirected to the phishing kit. Figures 2 and 3 illustrate the emails received and the contents of the attachment.

After decoding the JavaScript embedded within the attachment, we can see that it sets the current URL to the phishing URL, effectively redirecting the victim to the phishing page:

The full phishing URL is as follows: hxxps://4DN[.]urymenised[.]com/IAQiJ/$<Redacted>@<redacted>[.]<redacted>[.]com.

Phishing Page Analysis

Obfuscated Source Code

The source code of the phishing page is shown below. Due to its size, we have compressed the if statements for readability.

First, the code checks if “jaYZrXIacp” is equal to “nomatch” so it won’t jump into first “if” statement but rather to next statement.

The source code within this statement contains a base64-encoded section, which we have decoded below.

The script extracts the domain name “urymenised[.]ru” and path name “/IAQiJ/” from the current webpage URL and compares them against predefined values stored in the JavaScript variable “jEsWFufuvL”. If they don’t match, a 404 Not Found page is displayed.

Custom CAPTCHA Generation

If checks are clean, a Cloudflare Turnstile CAPTCHA is loaded. Cloudflare Turnstile is a CAPTCHA-like service that is being used to prevent scanners/bots from accessing the phishing site.

In the campaigns which eSentire started to observe on March 26th, 2025 (reported on X by “@crep1x” on March 24th, 2025). Tycoon 2FA leverages a CAPTCHA that can be seen in the Figure 7.

The snippet of the code used to generate this CAPTCHA can be seen Figure 8:

It's clear from the figure 8 that the CAPTCHA will either be 4 or 5 characters long and will only contains characters from array “0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”. The remaining code is used to create the CAPTCHA image and add noise to it.

Researchers have also observed a recent change in the Tycoon 2FA CAPTCHA, reported by @RacWatchin8872 on April 09th 2025 where the CAPTCHA is generated using a set of random icons, with one duplicated. The user is required to identify and click the duplicate icon in order to pass the verification check.

Anti-Debugging and Evasion Techniques

Code obfuscation using invisible Unicode characters
JavaScript within the HTML contains an obfuscated/invisible string that can be seen in the following Figure 10. The hex representation of the source can also be seen below, where we identified a pattern making use of invisible characters.

The invisible data contains Unicode characters Hangful filler (“ㅤ”, (U+3164)) and Halfwidth Hangful filler (“ﾠ”, (U+FFA0)). We have highlighted the characters in yellow, but they are white spaces with different widths. Halfwidth Hangful filler characters are replaced with 0 and Hangful filler with 1 to create a binary representation, which are decoded to reveal the anti-debug code.

CyberChef Query:

Regular_expression('User defined','.',true,true,false,false,false,false,'Highlight matches')
Find_/_Replace({'option':'Regex','string':'ﾠ'},'0',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'ㅤ'},'1',true,false,true,false)
From_Binary('None',8)

Anti-Debug Mechanisms

The JavaScript code below is an anti-debugging and anti-tampering mechanism designed to block bots, prevent users from inspecting the page, and detect browser debugging tools. It disables right-click, blocks key shortcuts (F12, Ctrl+Shift+I, etc.), and checks for headless browsers like Selenium and Burp Suite to restrict security testing.

Additionally, it uses a debugger trap with performance timing to detect DevTools usage and redirects users to “about:blank” or Walmart’s website if a debugger is detected.

Traffic Filtering

Before proceeding, the page generates two requests for verification and telemetry capture (Figure 13). The checks are likely a gate to filter bots/scanners with CAPTCHA as an additional barrier.

The first request involves a HTTP GET request to hxxps://gyp3d[.]gadyks[.]ru/chai@a25vgd9g. This either returns 0 or 1 depending upon the source making the requests. We will call these domains as “Check Domains” throughout the blog since it is being used to check the source legitimacy.

If the server responds with 0, a subsequent HTTP POST request is formed and a second request is sent to a verification endpoint (4dn[.]urymenised[.]ru/tvTX3SP4cn3680cAhBtRt8y5g9ILRX6FQKJ8im). This POST request includes fields for IP address, User-Agent string, etc.

Notably, when comparing the POST request data with newer variants including the custom CAPTCHA, it appears to be the same.

If the response from the POST request is “success”, the page is reloaded whereby new HTML code is inserted.

Post-CAPTCHA Refresh

The new page’s source code differs from the original source code and contains no CAPTCHA checks. This code (seen in Figure 14) decrypts HTML content (Figure 15) which is base64 encoded and XOR’d with a hardcoded key passed to the function (see CyberChef recipe here).

The first encoded function in Figure 15 is anti-debug code seen in Figure 12. The second base64 creates a non-malicious html webpage of “We Craft Digital Excellence” which is displayed if the anti-debugging checks fail.

Email Extraction

The remaining code shown in the Figure 16 below containing the variable “WyEyKWzVEA” splits the current URL with the delimiters: “#”, “%23”, “?”, “*” or “$”. Note, the URL resembles, “hxxps://4dn[.]urymenised[.]ru/IAQiJ/$<redacted>@<redacted>[.]<redacted>[.]com”.

Since the URL contains the delimiter “$”, the value after the delimiter is extracted, i.e. “<redacted>@<redacted>[.]<redacted>[.]com” and it is then concatenated with “WQ”, as seen below.

An HTTP POST request is then sent with this data to the URL to the URI path shown below, where the response contains an encrypted next-stage URL and inputs described in the next section.

Credential Harvesting and Exfiltration

Sign-In Page URL Decryption
The encrypted payload and inputs can be seen in Figure 18 where "a" is encrypted next stage URL (https://4dn[.]urymenised[.]ru/htieeuhlbqwfqqhicqijqjoacdwtL5O3KXEZ05DV757HXF?LFZATEFADCPUNSMWZUEMVKHLILZZQK). The kit uses CryptoJS AES to decrypt the payload using the supplied inputs.

Register('([\\s\\S]*)',true,false,false)
Derive_PBKDF2_key({'option':'Hex','string':'6661373066663661386261373065333938393764653536653839363735656664'},256,999,'SHA512',{'option':'Hex','string':'8ed24ea6e6950b7bd21ede3c1f60889e'})
Register('([\\s\\S]*)',true,false,false)
Find_/_Replace({'option':'Regex','string':'.*'},'$R0',false,false,false,true)
From_Base64('A-Za-z0-9+/=',true,false)
AES_Decrypt({'option':'Hex','string':'$R1'},{'option':'Hex','string':'cacdaa17dc7dc71cd0e50656e4f5846a'},'CBC','Raw','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})

Credential Submission and Validation
After submitting credentials, the phishing kit prompts for the 2FA code from the victim.

This page contains similar anti-debug, and anti-bot checks that we observed in prior pages. If these checks fail, the page redirects to website Etsy (Etsy[.]com).

Unlike the prior page, this page allows victims to copy/paste into the input fields. The code responsible for this can be seen in the Figure 21.

This code intercepts any copy event, checks if the copy is happening in a non-editable part of the page (like regular text or non-input fields), prevents the default copy action, and then places a custom string ("CLCQpRExmP") into the clipboard.

Moving on to the interesting code which when decoded from base64 and XORing the data returns the sign in page with anti-debug code.

After decoding a key section of this page from base64, we can see the victim’s browser name is acquired via user agent parsing, as seen in the Figure 23.

The Figure 24 displays the function used in encrypting data sent/received from/to the client/server which is proxying the credentials/traffic to target site/Microsoft site to validate credentials.

The Figure 25 contains the code used in generating a random route depending on the victim’s credential type.

The randomly generated pattern is then appended to the URL where credentials are sent via HTTP POST.

The Figure 27 displays five POST requests sent, where different random strings can be seen appended to the end of the URL. Based on the starting bytes, we can determine the credential type being sent:

• 23 – is for “twoofselected” route
• 90 – is for “twoofaselect” route
• pq – contains email
• rs – also contains email
• yz – contains password

The Figure 28 shows how CyberChef can be used to decrypt all the POST request URLs using the AES key and IV noted in Figure 24.

Threat Actor Infrastructure and Indicators

TRU observed specific words being used in the check domains followed by special characters (!, @ and $),

ando, gando, jawari, kella, machlo, phudi, rand, chiriya, kabutar, chai, loray, tatay

Although we have encountered a countless number of phishing domains, these check domains were seen less in numbers and repeatable in various phishing links. Using these words, we can search UrlScan for any recent check domains and block them.

QUERY -

page.url:/.*/(ando|gando|jawari|kella|machlo|phudi|rand|chiriya|kabutar|chai|loray|tatay)[!@$].*/

Authentication Observables

TRU observed Tycoon 2FA-related authentication activity using the tell-tale user agent “Axios/1.X.X” from IP addresses tied to organization “GLOBAL CONNECTIVITY SOLUTIONS LLP” a consistent pattern TRU has observed in Tycoon 2FA campaigns.

Additional Information and hunting query on this can be found in our December 2024 Security advisory, Network Infrastructure Abused in Ongoing Phishing Attacks.

What did we do?

• Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.
• We communicated what happened with the customer and helped them with remediation efforts.

What can you learn from this TRU Positive?

• Tycoon 2FA is a sophisticated PhaaS kit that allows phishing operators targeting Microsoft 365 and Gmail accounts and to effectively bypass 2FA and capture a session cookie for full access.
• This allows damaging follow-on activities such as email exfiltration, spam, BEC type attacks, internal phishing, and email forwarding/redirection.

Recommendations from our Threat Response Unit (TRU):

• Phishing and Security Awareness Training (PSAT) programs should be conducted to make users aware of these types of attacks.
• Even with PSAT programs in place, there is no way to guarantee users will not fall victim to phishing and BEC attacks. Implementing a 24/7 Managed Detection and Response Service that includes critical so you can revoke session tokens and terminate active sessions.
• Implement Device Compliance policies to limit access to only compliant devices; this tactic disrupts Adversary-in-the-Middle phishing.
• Review best practices provided by Microsoft on how to reduce the risk of token theft and have full visibility across the attack surface.
• Regularly conduct proactive threat hunting for sign-ins from unusual autonomous system labels (ASLs)/user agents/applications, modifications to MFA methods, auto-forwarding of emails to external accounts via forwarding rules, extraction of sensitive emails/contacts, access to single-sign-on (SSO) applications, email redirection, and audit log deletion.
• Limit permissions for creating or modifying existing mailbox rules to trusted users/administrators.
• Disable automatic forwarding to external domains.

Indicators of Compromise

• Indicators of Compromise can be found here.

References

• https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/